Screaming in the Cloud
aws-section-divider
Audio Icon
26 Years of Corey Quinn with Brandon Shaw
Episode Summary
Brandon Shaw is a senior program manager in security operations at Discovery, Inc., an entertainment company that owns several premium cable brands, including Discovery Channel, HGTV, Food Network, and TLC. Previously, he worked as an applications manager at CRISP and a senior software applications engineer at CompuGroup Medical, among other positions. Brandon has a slew of certifications, including CISSP, CISM, CDPSE, CCSK, PMP, ITIL, and three from AWS.

Join Corey and Brandon as they talk about their 26-year friendship and how their lives have diverged and converged over that time, what Corey was like as a kid, what it was like growing up in Maine and why Corey and Brandon are happy they left The Pine Tree State, how Stephen King’s writing is similar to living in Maine, what exactly it is that Brandon does at Discovery, how information security is always moving faster than we think, the journey that Brandon took to end up at Discovery, the CISSP and what you have to do to achieve it, and more.
Episode Show Notes and Transcript
About Brandon Shaw
Brandon Shaw is a senior program manager in security operations at Discovery, Inc., an entertainment company that owns several premium cable brands, including Discovery Channel, HGTV, Food Network, and TLC. Previously, he worked as an applications manager at CRISP and a senior software applications engineer at CompuGroup Medical, among other positions. Brandon has a slew of certifications, including CISSP, CISM, CDPSE, CCSK, PMP, ITIL, and three from AWS.


Links Referenced: 

Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Cloud Economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of Cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.


Corey: This episode is sponsored in part by our friends at Linode. You might be familiar with Linode; they’ve been around for almost 20 years. They offer Cloud in a way that makes sense rather than a way that is actively ridiculous by trying to throw everything at a wall and see what sticks. Their pricing winds up being a lot more transparent—not to mention lower—their performance kicks the crap out of most other things in this space, and—my personal favorite—whenever you call them for support, you’ll get a human who’s empowered to fix whatever it is that’s giving you trouble. Visit linode.com/screaminginthecloud to learn more, and get $100 in credit to kick the tires. That’s linode.com/screaminginthecloud.


Corey: This episode has been sponsored in part by our friends at Veeam. Are you tired of juggling the cost of AWS backups and recovery with your SLAs? Quit the circus act and check out Veeam. Their AWS backup and recovery solution is made to save you money—not that that’s the primary goal, mind you—while also protecting your data properly. They’re letting you protect 10 instances for free with no time limits, so test it out now. You can even find them on the AWS Marketplace at snark.cloud/backitup. Wait? Did I just endorse something on the AWS Marketplace? Wonder of wonders, I did. Look, you don’t care about backups, you care about restores, and despite the fact that multi-cloud is a dumb strategy, it’s also a realistic reality, so make sure that you’re backing up data from everywhere with a single unified point of view. Check them out at snark.cloud/backitup.


Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Brandon Shaw, Senior Program Manager of information security at Discovery, Inc. Brandon, welcome to the show.


Brandon: Thanks for having me.


Corey: So, you’re at Discovery, not Discover Financial. I keep running into those companies in various cloud stories, and I always get the two of them confused. So, you're the one where I talk to about Shark Week, not credit cards, right? 


Brandon: That's us. Correct. 


Corey: Fantastic. And we'll get into that, I'm sure, but first, a little backstory here. I think at this point, we've known each other for, what, 26 years.


Brandon: Yeah, something like that.


Corey: I mean, at this point, our relationship has grown up, gone away to college, come back, moved into our basement, gotten through the surly stages, and is now trying to venture back out into the world, but there's a pandemic on, so it's having some trouble.


Brandon: Yeah, you forgot the part about both of us getting married both of us having kids, both of us—


Corey: That's right. We're both freshly back from paternity leave—


Brandon: That's right.


Corey: —as of the time of this recording.


Brandon: [laugh]. Yeah. And congratulations again.


Corey: And to you as well. We both had our second kid. At some point, it's weird, our lives sort of diverged for a while, and then wound up going back into something that resembles, “Oh, I could actually justify having you on the show now. Great.” But it's amazing how much our lives really have, I guess, split apart and then reconverged. 


It feels almost like it's a story about technology. I mean, as soon as we use the word converged, I'm sure Nutanix somewhere is perking up, “Oh, hyper-converged? That's our word you owe us $1 for using it.” But I don't think they're sponsoring this episode. If they are, oops.


Brandon: Yeah, so I wanted to jump in, just for all of your friends and fans—


Corey: Both of my friends, let's not over-exaggerate the case.


Brandon: Excuse me. So, I want to jump in and explain to both of your fans this week what Corey was like, as a kid.


Corey: Oh, dear God, here we go. I feel like I've been bamboozled.


Brandon: You have been. What I want to say is, the reason why we've been friends for 26 years is that you have definitely been the guy—and always have been—who is not afraid to be your most authentic self.


Corey: Oh, that's a very kind way of putting it. Thank you. In practice, it's that I have no filter and no social skills. The only challenge was living long enough to evolve it into a way where it was at least halfway socially acceptable. Let's not overstate that.


Brandon: Well, I mean, that was really the thing. I mean, I always appreciated you and your sense of humor, but—


Corey: I think you were the only one.


Brandon: [laugh]. Still—maybe. But a lot of people when we were growing up, they were just like, “Oh, Corey. That's the same tired joke for the 15th time today. Just give it a rest.” But for you, it's still funny. And what, you never give up on those jokes.


Corey: I never do. My jokes are for me. And if other people like them, that's great. And if they don't, well, get your own podcast.


Brandon: So, I will say that I'm really glad that you've been able to find this forum for yourself as a place to have people listen to you, whether they want to or not.


Corey: Exactly. The nice part about podcasts as a medium is that people tend to listen to these things with headphones on when they're washing the dishes or mowing the lawn, which means that they generally find it very inconvenient to stop the podcast, so they're really forced to listen to me. It's a captive audience model more than anything else.


Brandon: Well, absolutely. And so it's different than being in the middle of French class when you're trying your jokes out. But certainly to, again, both of your fans, whether you find him funny, charming, abrasive, whatever, you are the same guy that I met, like 26 years ago. So—


Corey: Uh-oh. Well, let's talk a little more color on that. Why not? It's my show; I can talk about whatever the hell I want. 


Brandon: Sure.


Corey: The problem that I had was that my dad was one of those folks who always wanted to be somewhere else, doing something other than what he was doing. So, I come by it honestly. In his case, that manifested as being a bit of a nomad. So, midway through the seventh grade, I wound up moving to Maine. State motto:, “Not a lot of people come here on purpose.” 


And because I was a lucky child, I was midway through a series of various lung surgeries, so I missed a hell of a lot of school—I wouldn't say I was missing it, Bob—and I was socially stunted. I was always having to make new friends, which I was terrible at—still am. And it was this weird dynamic, where you were one of the only people at the time who said, “Hey, look at you, you're a sad, lonely loser. Me too. Want to hang out?” 


And it was really something redeeming about that. I mean, despite the fact that our lives have taken us in very different directions, we live on opposite coasts, et cetera, it's always been like coming home whenever you and I have a conversation. “Oh, it's been a year since we last spoke. Great, let's play catch up for 20 minutes.” And then it's as if no time had passed. 


The other side of it, and it's a bit of a challenge on a show like this, is whenever I talk to you, suddenly I revert back to being that angsty 12-year-old who needed to go and prove himself, and is terrified that no one really likes him. It's the reason I've never had my mother on the show.


Brandon: I thought that we already covered that before. You still are the same angsty 12-year-old.


Corey: Absolutely. Except I'm larger now and don't have the metabolism that I once did. So, you and I met where we spent our formative years respectively, in a small town in Maine—because it's not like there are large towns in Maine—and some of the best things that we ever achieved on a personal triumph basis was leaving Maine. Now, I know this annoys RedMonk’s Stephen O'Grady, who lives in Portland and loves Maine, but I spent enough years there to say that growing up there, it sucked. I don't miss it in any sense. What's your take on it?


Brandon: Well, let's first look at the numbers, right? And that's the biggest part is Maine is number 37 out of 50 states for economical opportunity.


Corey: It was also the second least diverse state in the country as well.


Brandon: And least diverse state in terms of religious diversity. As well as most importantly, Maine is number 42 out of 50 states in infrastructure and number 45 out of 50 for internet access. People like us today, now, cannot live in Maine. If you enjoy technology, and you want to work from home, chances are you can't if you're living in Maine. We have so many friends who are waiting for 5G to come to their forest. It's not happening. It's not happening. Besides that, there is no opportunity. It's cold. It's awful. The only thing that you can do in Maine is sit around in the cold and develop your personality disorders.


Corey: Yeah, exactly. I dated a girl who was valedictorian of her chemical engineering class, and she was on the front page of the Maine Sunday Telegram—which you can probably already tell is the largest and only newspaper in Maine—and the whole story was about how she had to leave the state to get a job. Every year, the governor goes to the University of Maine and does a whole commencement speech about how—stay in Maine. With what jobs? It's impossible—at least the time that I lived there—to effectively grow yourself professionally living there compared to the opportunity available in other places. And maybe that's changed. It's been 20 years. But I kind of question that.


Brandon: Well, University of Maine's biggest son is Stephen King, who is probably the only person that I know who's made a name for staying in Maine. And anybody on Twitter can go ahead and tell me wrong, right. But look at what he's doing.


Corey: Yeah, Anna Kendrick grew up in Cape Elizabeth, the next town over from where we were, and how did she succeed? She got the hell out of Maine.


Brandon: Yeah, but let's go back to Stephen King for a second. What is he known for? Sitting in the dark, writing things that scared the shit out of you.


Corey: Yep. And all he’s really doing was telling the stories about his typical week.


Brandon: Yeah, this is what it's like living in Maine. Get out. In all of his stories, there's something about trying to get out and you can't do it.


Corey: That is the best synopsis of living in Maine that I can possibly imagine. One of my favorite Twitter accounts—I know you don't do it—is @maine_gov, where it's a parody account where it winds up crapping all over Maine, to the point where the governor's administration had to respond with, “This account and its posts are not affiliated with the state government.” And everyone knew that because it had a personality.


Brandon: All right, that may actually get me on Twitter. You might have sold me there. 


Corey: Exactly. That's all it takes. So, the audience generally knows what I've been up to, but let's talk about you. You've been at the Discovery Channel, slash Discovery, Inc. Slash Shark Bait for a while now.


Brandon: Yeah.


Corey: I mean, you want to talk about ways that we're not the same, you've had a gift of being able to be at the same place for multiple years without either getting bored and leaving, or—in my case, more often—getting yourself fired. So, it's a different world, one I'm deeply envious of, but you've been at Discovery for a while, what do you do there?


Brandon: So, my job here is really as the senior program manager for the operations arm of our cybersecurity team. So, it is my role to coordinate incidence response activities and remediation efforts across the entire global enterprise. It is also my job to stay engaged with internal and external teams and make sure that they can understand and can attest to all the appropriate security measures and best practices that we provide to it.


Corey: Now, I'm going to say the quiet part out loud because that's what I specialize at. You’re information security; convince me that you're not effectively ablative armor for the company where your job is to sit around and wait for the data breach, and then be ceremoniously fired to protect other executives with I would say, other loftier positions, or—let's be honest—more political savvy, change my mind.


Brandon: So, that's absolutely fair. I'm not going to say that I am not on the chopping block next time something happens. But really, I will say that Discovery has put itself in the line of fire with a lot of our acquisitions, with our footprint, with everything that we do. We have a massive, massive company. 


And the truth is, is we don't want to be that same media company that, back in 2014, hackers accessed and wiped personal data from 10s of thousands of employees and users. And that's just who we don't want to be. So, it's my job to actually make friends with everybody across the environment and to bring them on instead of pull them along, kicking and screaming, to understand why we need to have our security best practices.


Corey: One of the challenges I've always found with infosec is ignoring the trash fire of a community that most of it seems to turn into, invariably, it's been this idea that I deal with on the cost side as well, though at somewhat lower stakes, where people only really seem to care about either cost or security, right after it really would have been beneficial for them to care about those things. So, right now, I'm in this weird space where, at least on the cost side, if people don't optimize their cloud bill, and then they have to bring me in, well, the cost there as they spent a little bit extra than they should have until I'm engaged. On the security side, it feels like there's always an announcement about, “Your data is extraordinarily important to us,” is what companies say, always right before they announce the data breach that showed that security was clearly nowhere near as important to them as it should have been. It always feels like it's a back foot thing that can always be punted until suddenly it bites you in the face. How do you get away from that reactive mindset?


Brandon: That is a great question. And I will say first that, as a program manager, that I work for a great team of people who are futurists and enjoy learning about new technologies, and especially not just use but abuse cases for all of the opportunities that we have. And so, staying ahead of security is really the ideal goal. But really it is about, in my opinion, controlling surface area, and knowing whether you're leaving the back door open, whether the door is open at all, and making sure that you close it. But the truth is, is that information security, it's always moving faster than we think it is. 


And especially if you have somebody who is very highly skilled and motivated, they're going to find a way. And I mean, that's the ugly truth about security. So, instead of us saying that we're doing this for lip service, and I mean that pejora—excuse me, instead of just saying that we're doing this for lip service, we mean it. We're not going to be a company without our customers, we're not going to be a company without our product. And it is our job to serve our customers and our content in the best way possible.


Corey: And credit we're due, there's a lot of companies out there where they get it wrong, and people love the twist the knife in them. I don't know too many people who have negative associations with Discovery as a whole. Maybe the Bloodhound Gang song from years past, but that's about as far as it goes. There's something to be said for being a household name, but not pissing people off as you do it. Meanwhile, I'm not a household name, and I still piss everyone off as I do it. So, back when we were going to school together, you were focused on computer engineering. It seems like there's a few steps between that and getting into information security, how did you get to where you are?


Brandon: So, I think that you'll recall that when I got into college, I actually hated computers. And getting out of college, I didn't want to do anything with computers at all. I think I've read some statistic out there that 10 percent of people who graduate with a degree do something tangentially related to their major. And so, my goal was to be part of the 90 percent because I was just burnt out. But after I took a little bit of a detour and taught English in Japan for a couple of years, I came back and realized that I actually missed it. 


And so my first real-person job, if you will, was as a software engineer, and it took me about two weeks before they said, “So, what do you think about project management?” Because I am the worst programmer. But just being close, just being in the Washington DC area, I thought that there would be so many opportunities to get into cybersecurity. So, that's what became my graduate degree, in information assurance. And so I just kind of rolled with that. It was really kind of organic; just looking at the opportunities that we had in the area—or that I had in the area, excuse me—and taking advantage of everything that I could.


This episode is sponsored by our friends at New Relic. If you’re like most environments, you probably have an incredibly complicated architecture, which means that monitoring it is going to take a dozen different tools. And then we get into the advanced stuff. We all have been there and know that pain, or will learn it shortly, and New Relic wants to change that. They’ve designed everything you need in one platform with pricing that’s simple and straightforward, and that means no more counting hosts. You also can get one user and a hundred gigabytes a month, totally free. To learn more, visit newrelic.com. Observability made simple.


Corey: How do you work in infosec, without becoming profoundly paranoid? And that's not entirely a tongue in cheek question. Something I've noticed about my friends who've gone down that path is increasingly they start to view everything as this hard divide of everything is a potential vector for being exploited, and it starts to color their personal relationships as well. Like, we all know the types, the folks who email you, but you don’t know what it says because they GPG-encrypt the thing, and who can be bothered to decrypt it in the modern era? You've never gone down that path. Is there a philosophical reason behind that? Are you just a terrible infosec person and no one ever pointed it out before? What's the answer?


Brandon: Well, I will say that my role as a project manager, as a program manager, as the leader of the team, really kind of brings a different perspective than the regular infosec person. And yeah, it's really easy to go to the place where the sky is falling, and nothing's right, and the whole world is burning, but that's a really hard message to sell. Nobody wants to hear that. Nobody wants to be presented with a problem without understanding what you can do to fix it. And so that's my job. 


In part, it really is a sales position. I am not—nobody's buying anything here, right? Every contact is an opportunity for me to educate people. And that's really where my passion lies, is learning new technologies and understanding new use cases, and being able to say, “Hey, wait, this is really cool, but maybe we want to pump the brakes.” Or, “This is really cool, and let's go for it. I don't see any problems with this.” 


And so, I see infosec as enabling technology. It's really easy for an infosec to say, “No/ whatever it is, no, you can't do that. We're not going to let you.” Please submit a form and we're going to [00:19:52 unintelligible] again in 30 days.


Corey: Oh, yeah, you have infosec, sysadmin types, and engineers. And those are the three real points on the spectrum of, “No.” Where engineers are, “Sure, we can do that.” A sysadmin is, “Neeaah,” and infosec is, “No,” because it's easier. At some point that doesn't work anymore. 


You have to come up with something different. The amazing part of all of it to me is just that there's so much that can be done if you work collaboratively with the business. And historically, a lot of folks who got into infosec didn't get to do that. And when I dabbled in it, the thing that really disillusioned me with it—besides the crappy people—was that it was less about breaking into systems or defending systems against being broken into than it was about time to fill out some forms for an auditor. And policy and governance are less exciting than—you know, as all the movies show, wearing hoodies, and gloves, and a mask to type into a laptop at a dark street corner somewhere. Which, of course, so we all write code, right?


Brandon: Yeah. I mean, who doesn't want to drop from the ceiling and break into a server that is guided by laser sensors that you can’t stand around? That sounds really cool.


Corey: That feels like a problem that someone at AWS winds up worrying about every day of their lives.


Brandon: And why shouldn't they?


Corey: But, I pay them to worry about that so I don't have to.


Brandon: You're right; you're absolutely right. It is paperwork, and it is a lot of reading, and it is communicating and collaborating. And I think that people who get into infosec just because they love the power, and they love to say no, are really probably the wrong people to be in such a friendly and well-liked company, as Discovery.


Corey: So, recently, you wound up adding some letters to your name. Now, that doesn't mean that you went out and got a doctorate, it doesn't mean that you've decided to retcon yourself into being the fourth person in your family line. But rather, you got the CISSP, which sounds an awful lot like it's a word I don't want my daughter to hear. So, I'm spelling it to you. What is it really?


Brandon: CISSP, it stands for the ‘Certified Information Systems Security Professional.’


Corey: I looked into it once upon a time because I have my flaws, but one of my strengths is that I test well. So, sure I can sit down and take a test. Turns out in order to even qualify for the exam, you have to have done a fair number of things that I'd have to really stretch the truth to qualify for.


Brandon: Yes, and I will actually say that I have heard stories where people have used upgrading their own personal laptop, as five years of experience for the CISSP. 


Corey: Well, that really depends on their laptop, now doesn’t it?


Brandon: I'm just saying, right. But the experience that you need is really, really kind of vaguely worded, and you are looking at eight domains where you need to be able to attest to just a couple of them. So, yeah, you can be a mail admin, or you can be a network engineer, or you can just do a lot of paperwork for an auditor, and you can still attest to five years’ experience towards the CISSP. 


Corey: So, I used to have a very negative approach to certifications in general. I thought that they were a waste of time, that I would be much better off having built something myself and putting that on the resume instead. And it took me a long time to realize that that was a very naive perspective on a couple of levels. One is that everyone learns differently. And there's an awful lot of privilege that gets baked into the well just do it for 10 years, and then it's on your resume, it's easy to say from the other side of that. 


When you're starting out, it becomes valuable. And from the hiring side as well, it's convenient because I know that if someone has a certification in technology, that does there's at least a good chance that we can have a conversation around the topic in question using localized terms of art without having to stop and make sure that we're on the same page. Now, the other side of it that I haven't experienced a lot of is you're a giant company and you're trying to hire 5000 people with cloud skills, or security skills, or whatever it happens to be. You need a formalized training and testing program if you're uplifting your entire existing staff skill set, who is where on their path. So, certification programs in that sense, also tend to add significant value. So, my old take of certifications are garbage and it's a ding against you was immature and frankly, wrong.


Brandon: Well, it's an easy joke to make to say, “I have 20 or so letters after my name, and so I am just making it really easy for HR professionals to find me in a crowded pool of applicants.” But from my perspective, I mean, I live in the DC area. There's consultants everywhere, and where I live, and it's very much about accumulating letters and displaying all these certifications on a LinkedIn resume. But really where my perspective is, is I'm a project manager. I've been doing this for 13 years now. 


But really, what does this mean? Project managers, they serve as a jack of all trades, but a master of none and so I will be called on to fit a variety of technical leadership roles based on the nature of the work, or whatever I want to do. But as soon as I say something dumb, like, “Let's go install the agent on the lambda function,” or, “Why don't you just reboot S3?” Is going to lose all credibility and the project is going to fail. So, it is really, for me, a measure of my success and my capacity as a project manager, not just to speak to these pieces and to speak to all of the letters behind my name, but t0 also not be the dumbest person in the room.


Corey: That's my job.


Brandon: And you do a great job at it. [laugh]. But truly, the best bit of career advice I can say, is, whatever your opinion is on these certifications, I feel that they are a good measure to understand what it means to have a general level of understanding on a topic. And it's also good to have external validation, to prove that I am knowledgeable in a particular subject area. And so it is really working to my advantage not to be the dumbest person in the room.


Corey: I was doing a webinar thing recently, where there was a Q&A section and someone asked, “If I know nothing about security, what do I need to know to get started so that I can wind up building something in the cloud without blowing my own foot off?” And the answer was, “Oh, God, I don't know.” What's your answer to that one?


Brandon: That's actually a really tough question. And I'm going to punt on that one.


Corey: Cool. No, that's fair because I don't have a good answer, either. It's, uh, “Yeah. Oh, God, if you don't know where you're going, where does it start?”


Brandon: “I really just love auditing. How do I get into auditing?” I just don’t know that.


Corey: Yeah. It’s like, “I like computers. How do I get into those?” “Ahh.” It's such a big topic. But it's also a problem because you don't want people to have to go through eight years of security school to be able to write a hello world.


Brandon: No. And that's really kind of the point that I will say is kind of a knock against AWS, is that you really do need to spend, like, hundreds of hours, just figuring out everything that's out there. There is no taking a sip from the firehose with AWS; there is no dipping your toes into security configurations. You really need to dive right in and take the time to ingest all of it. And that's the biggest problem. 


My biggest beef with AWS is that there is no guidance that they really do provide, especially for casual users or small startup companies that are not going to pay for a business tier support package.


Corey: That's part of it, too, but there's also this idea that what AWS says and what AWS does are two very different things. You have this idea of a shared responsibility model, which winds up requiring 45 minutes to explain and overly complicated graphs, the honest fact of it is, they handle the physical stuff; you handle the configuration stuff. If you get breached, it's probably your fault. The problem is, you can't tell the customer who just got breached that it was, “Because, your fault. The end.” 


Wow. What do we do with the next 44 minutes and 30 seconds of, we sit here awkwardly? So, you need to have a more convoluted story there. And also, a lot of the decisions they made—which I don't blame them for—but the way that the world has evolved has dramatically set people up for failure. Here's S3. 


It is simultaneously this public-facing static website service that works at a global scale super easily. It's also a place where you can store your deep dark, encrypted backup company secrets. And the fact that the same thing does both of those means that it's relatively easy to trip and make it do both of those things simultaneously, and that's where people get into trouble.


Brandon: I mean, absolutely. We have a culture where it's so easy to just point fingers. And I can't just write my password down, stick it to my monitor, and then get mad at Post-It for my account getting compromised. That's just not how it works. And when you partner with a cloud provider like AWS, you do get the ability to offload risks, like costs, and managing your own platforms and services, but you don't get to transfer liability or responsibility for this.


Corey: You can transfer work, but not the responsibility. That's the thing that always bothered me about breach disclosures where, “A third-party contractor did—” I'm going to stop you there. Look, I don't have a relationship with your third party contractor; I have a relationship with you. You've been a custodian for my sensitive data that I have chosen—ideally chosen. If you're Equifax, maybe not—but I theoretically have chosen to entrust you with, and your lack of vetting of your contractors is a problem. 


To date, one of the best things I've ever seen was the Pokémon Company. There was a Wall Street Journal article on it where they declined to do business with a third party vendor based, in part, upon that vendor’s lack of security controls around how they interacted with S3 buckets. I thought that was phenomenal. If you don't validate that the people you're entrusting with customer data are doing things right, then that's not the vendor’s fault. That's your fault. 


Brandon: Oh, absolutely.


Corey: Lord knows I filled out enough vendor security forms from the consulting side that it makes sense. I know what these things look like, and most of them are fairly reasonable. There are times it turns into maddening stuff like, “What kind of antivirus do you run on everyone's laptops?” It’s… “We are not that kind of company. I'm sorry.”


Brandon: No, and that's absolutely the point, though, right? I'm going to push back and I'm going to say that I want to have all that information. If I'm going to partner with you, if I'm going to give you my business, then I need to know that you are a great custodian. And if you can’t answer that—what antivirus you have on your laptops—because you don't know, or you don't care, or you don't do it, maybe you should.


Corey: So, what's next for you? You've been at Discovery for a while, you were an infosec project manager; now you're an infosec program manager, which I assume based upon no idea how real media companies work that you're in charge of programming. So, what can you tell us about the next Shark Week?


Brandon: Awesome question. No, program manager is just really kind of the man behind the curtain for this. It's similar to a project manager, but different letters that you can use for Scrabble. That said, what my next step is? Just hanging out. I'm happy to be at Discovery. We're doing great. I’m happy to be a part of such a technologically progressive company. It is so easy to knock Discovery for just being Shark Week, but we're massive. We're Shark Week, we’re the Food Network, we're HGTV. 


Our entire portfolio is over 150 channels broadcast across 220 countries and territories, in over—I believe—50 languages, simultaneously. I have coworkers who have gotten Emmys. I actually sat across the desk from them in the cube farm. That is really cool.


Corey: I’m having a really hard time here just contextualizing this with the fact that we used to rotate around to each other's basements to play D&D 20 years back, and it’s… yeah, the world has changed. I guess we're still playing make-believe, but now the stakes have gotten a little higher. Which, you know, I'll take it. I look back at the confused kids that we were, I'm pretty happy with where we wound up all things considered. 


Brandon: Yeah, I think that we're doing all right for ourselves.


Corey: We really are. So, if people want to learn more about who you are, what you're doing, what you're up to, and I guess, honestly reach out to you for inside baseball stories they can use to eviscerate me when I have them on the podcast in the future, where can they find you?


Brandon: I am only on LinkedIn right now. I do not do the social media thing, and I do not do Twitter.


Corey: I'm still learning how to shitpost effectively on LinkedIn. It's a process.


Brandon: Yeah, but no Twitter. I have kind of drawn my line in the sand that is the line that I will not cross.


Corey: I don't understand some of your life choices. But again, different strokes for different folks. Brandon, thank you so much, once again, for taking the time to catch up with me. It's always a pleasure.


Brandon: No, it's mine.


Corey: Brandon Shaw, program manager for information security at Discovery, Inc. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, and tell me why you didn't like our episode here about Snark Week.


Announcer: This has been this week’s episode of Screaming in the Cloud. You can also find more Corey at screaminginthecloud.com, or wherever fine snark is sold.


This has been a HumblePod production. Stay humble.
View Full TranscriptHide Full Transcript